Socks proxy disables Safari and Mail

[exthree]

For reasons not understood, the "Socks" proxy box is checked and that disables my Safari browser and Apple Mail. In fact I think the entire communications on wifi or ethernet is disables when checked. What is doing this and how to prevent in the future?

 

[Simple714]

For reasons not understood, the "Socks" proxy box is checked and that disables my Safari browser and Apple Mail. In fact I think the entire communications on wifi or ethernet is disables when checked. What is doing this and how to prevent in the future?

I've seen that when adware/malware is installed on the computer. Recommend checking into that and getting a cleanup done!

 

[Brian33]

Yeah, I'd bet its some sort of adware/malware; I've read someone's post here who had that same thing happen. Don't remember how he tracked it down, though. I've seen several posters recommend MalwareBytes (free).

If it were me I'd check all of the locations that contain the startup info for LaunchDaemons and LaunchAgents. These are programs that can be started automatically, either at system bootup or user login time. Each has a ".plist" file in one of these locations:

/Library/LaunchAgents
/Library/LaunchDaemons
/Users/your-username-here/Library/LaunchAgents

If installed, you'll see items for things like Dropbox, Steam, Adobe, various backup programs, etc. They should all be things you purposefully installed. If you find a suspicious one you can look inside the .plist to find out what executable it's pointing to.

 

[exthree]

Hi,

I'm not a power user and the "socks proxy" issue started after I downloaded a duplicate photo elimination app from the Apple App Store. It didn't seem to work, so that was a tipoff.

Can I simply delete these .plist files when I find them?

TYVM!

 

[Brian33]

If you can confidently identify the one you don't want, then yes, you can simply delete that .plist file and it will stop the associated program from running automatically. (Unless the .plist is re-created somehow, by running the "bad" program again, for example.)

There's a good chance you can identify the problem .plist by comparing its filename to the name of the app you downloaded. But note that the filename doesn't have to match the app name, so there's the possibility that the app developer chose some innocuous-sounding filename just to be maliciously sneaky.

You can open these .plist files with any text editor (e.g., TextEdit.app). After the line that contains "ProgramArguments" is a line that gives the exact location of the executable (within the .app package). This can tell you that you're deleting the right .plist file.

If the .plist file is located in one of the system /Library locations, you'll need to use your admin password to delete it (this won't be the case if it's in your login user's Library). I'm more of a command-line user (in which case one would use the sudo command) but I think you can delete it using Finder and it should just prompt for admin credentials. You can use Finder's "Go-->Go to Folder" menu item to get to the locations I listed previously.

As aside, a program that modifies your socks proxy like that shouldn't be in the Mac App Store at all! I wonder if there's a way to report such violations. Doing so could be a good deed for other users...

 

[exthree]

Brian333,

Thank you very much for your suggestion. I downloaded the MalwareBytes, it scanned my files and identified the .plist files that were contaminating my MacBook. I deleted the files and problem solved!!

Best Regards,
Peter F.